How to fix Fragment Injection vulnerability

This information is intended for developers whose apps use an unsafe implementation of PreferenceActivity classes that makes them susceptible to Fragment Injection. Such an implementation can allow a malicious external app to load Fragments that should be private.

What’s happening

Beginning March 1, 2017, Google Play started to block the publishing of any new apps or updates where PreferenceActivity classes may be vulnerable to Fragment Injection. Please refer to the notice on your Play Console. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.

Action required

Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.

Update your affected apps and fix the vulnerability.

Submit the updated versions of your affected apps.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

Where possible, set exported=false for the PreferenceActivity in your Manifest. This will prevent foreign apps from sending Intents to this class.

If the vulnerable PreferenceActivity must be exported to foreign apps then determine why the class is vulnerable and take the appropriate actions. There are two possibilities:

1) Incorrect implementation of isValidFragment:

Check if the vulnerable class contains or inherits an implementation of isValidFragment that returns true on all code paths. If it does, update the class to check against a list of allowable Fragment classes. For example, if the PreferenceActivity should allow MyFragment classes and no other Fragments, then implement a check like this:
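An allowlist check of this kind, as an added example (not code from the original page). SettingsActivity and ALLOWED_FRAGMENTS are hypothetical names; MyFragment is the fragment named above.

```java
import android.preference.PreferenceActivity;
import android.preference.PreferenceFragment;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical activity name, used for illustration only.
public class SettingsActivity extends PreferenceActivity {

    // The one fragment this activity is meant to display.
    public static class MyFragment extends PreferenceFragment { }

    // Exact class names this activity may instantiate. Entries are added
    // here explicitly and never derived from the incoming Intent.
    private static final Set<String> ALLOWED_FRAGMENTS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                    MyFragment.class.getName())));

    // Vulnerable form, shown for comparison: returns true on all code
    // paths, so any Fragment class name supplied by the caller is accepted.
    //
    // @Override
    // protected boolean isValidFragment(String fragmentName) {
    //     return true;
    // }

    @Override
    protected boolean isValidFragment(String fragmentName) {
        // Exact match against the allowlist. fragmentName is supplied by
        // the caller and may be null, so no prefix or suffix matching.
        return fragmentName != null && ALLOWED_FRAGMENTS.contains(fragmentName);
    }
}
```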

2) If the app currently sets its targetSdkVersion in the manifest to a value less than 19 and the vulnerable class does not contain any implementation of isValidFragment, then the vulnerability is inherited from the PreferenceActivity.

To fix this, developers should update the targetSdkVersion to 19 or higher. Alternatively, if the targetSdkVersion cannot be updated, then developers should implement isValidFragment as described in 1) to check for allowable fragment classes.

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.